Cloud Security - Closing the gap

Azure Confidential Computing

A common topic of concern that we hear from customers, and others in the technology sector is around security and in particular, how secure their data is in the public cloud. As a result cloud providers are investing huge amounts of money, with Microsoft spending £1bn on cyber security – mostly on its cloud offering, to help build confidence and capability to ensure cloud is secure.

Security is taken very seriously by cloud providers like Microsoft and understanding the security features they offer is the first step to get over any reservations you might have about moving to the cloud. Having visited many world class data centers, it is easy to feel more secure about your data when the facility feels more like fort Knox than a server room and you get to see first-hand all the security steps.

Physical security is a great first step to securing your data, having your data encrypted while it is at rest in the cloud or in transit by applying recognised transport level encryption approaches. These steps greatly reduce the risks of using the public cloud.

An area where until very recently there has been no satisfactory approach is during computation. In order for data to be utilised and its value to be realised, it has had to be decrypted and therefore providing a vector of attack. This is when you are most vulnerable.

Microsoft has an answer to this through their new security feature in Azure with what it has called ‘Confidential Computing’. Confidential Computing will allow applications running on Azure to keep data encrypted not only when it’s at rest (in storage) or in transit (over a network) but when its being computed on in-memory. This was unveiled just a couple of weeks ago and was demonstrated at Microsoft Ignite last week.

For users of Azure, Confidential Computing will provide them with additional security against;

Breaches of particular devices or hardware with access to data on Azure

Malware that exploits bugs in applications or the operating systems

Third party access to data.

How does Azure Confidential Computing work?Microsoft Azure will place a subset of your data and code into a secure environment called a Trusted Execution Environment (TEE) or as Microsoft call it an ‘Enclave’, while you use your data or code.

The main point here is that there is no external access into the TEE, from administrators, through direct access to hardware or through hackers of administrators of accounts. The data is encrypted and safe. When the data is accessible in areas of the public cloud it is encrypted in the cloud services and is only decrypted and processed within the TEE.

We see this having impact across the Azure range with particular focus on their database offerings, and with benefits across a range of industries. With this latest feature Microsoft could have closed one of the last remaining security gaps in cloud computing.